Willem D'Haese willemdh

/*
TaskManagerSecret
Author: @splinter_code
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
The core of this hack is stealing and using a token containing the UIAccess flag set.
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
From there it uses a task manager "feature" to run a new High IL cmd.exe.
This has been developed only for fun and shouldn't be used due to its high unreliability.
@Mikaayenson
Mikaayenson / sample_chatgpt_security_use_case.py
Last active September 2, 2023 17:29
Sample use case to demonstrate applying the new chatGPT model to security summaries.
import openai
import requests
import textwrap
import uuid
# pip3 install openai requests
# setup the API credentials
es_username = "<your username>"
es_password = "<your password>"
es_url = "https://localhost:9200"
sequence by host.id with maxspan=1m
[registry where registry.path : "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"] by registry.data.strings
[process where event.action == "start" and
/* recently created files */
process.Ext.relative_file_creation_time < 500] by process.executable
@andrewkroh
andrewkroh / filebeat-to-fleet.md
Last active January 17, 2023 20:26
Routing Filebeat data to a Fleet integration data stream

DRAFT: Routing Filebeat data to a Fleet integration data stream

This is an unofficial tutorial that may be useful to users who are in the process of migrating to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.

Install the Fleet integration

Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.

Use Kibana (easiest)

@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active October 26, 2024 22:02
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all its subfolders.

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@bzerangue
bzerangue / json-to-ndjson.md
Last active January 31, 2024 20:57
JSON to NDJSON

NDJSON is a convenient format for storing or streaming structured data that may be processed one record at a time.

  • Each line is a valid JSON value
  • Line separator is ‘\n’

1. Convert JSON to NDJSON?

cat test.json | jq -c '.[]' > testNDJSON.json
@leopucci
leopucci / auditmap.go
Last active April 16, 2019 10:38
Windows 10 msobjs.dll audit list converted to go map
auditMessageMap := map[int]string{
279: "Undefined Access (no effect) Bit 7",
1536: "Unused message ID",
1537: "DELETE",
1538: "READ_CONTROL",
1539: "WRITE_DAC",
1540: "WRITE_OWNER",
1541: "SYNCHRONIZE",
1542: "ACCESS_SYS_SEC",
1543: "MAX_ALLOWED",
@andrewkroh
andrewkroh / event1.json
Last active August 2, 2022 15:22
Winlogbeat - Sysmon Processing for ECS (Elastic Common Schema)
{
"@timestamp": "2019-01-29T19:10:47.538Z",
"beat": {
"hostname": "DESKTOP",
"name": "DESKTOP",
"version": "6.3.2"
},
"event": {
"kind": "event"
},